30 days of training on Citrix ADM! Day 17: SSL Dashboard
Looks like a dashboard to me!

I am back, it is day 17.

Picture the scene: you are in the IT team, managing various services. You joke with a colleague, a pinch and a punch for the 1st of the month.

Then the phone starts to ring, there seems to be half the world beating a path to your door. They are complaining about access to a web service. Whoops, that’s one of mine!

The users are getting prompted about a certificate when they access a web service. You take a look and see that the TLS certificate expired at midnight yesterday. It would be so handy to have something to get a view of certificates, and even better to have some prompting.

We can fix that!

You have been selected for a training course in Citrix ADM. The goal is to provide you with enough information to be actually dangerous when talking to a customer or client. 30 days is a bit of an arbitrary number, but I am prepared to give you 2 minutes of material. Can I get 2 minutes of your time?

I have talked about Fleet management, general analytics, security analytics, AI / ML, Stylebooks, Pooled Capacity, instance advisory upgrade, security advisory, Autoscaling, onboarding, RESTful API, CADS self-managed, Service Graph, Web Transaction Analytics, Config Jobs and Network Reporting.

Today is all about the SSL Dashboard.

Honestly, what are you talking about?

A web service running on the internet always needs a certificate. Whenever you access your online banking service, you need to be sure that the connection is encrypted, as the details are sensitive and you don’t want someone else looking at the information.

The browser shows this as HTTPS in the address bar, or possibly as a padlock somewhere in the window.

So what? What problem does it solve?

Certificates have three important parameters:

1. Validity period

2. The URL you typed, the ‘common name’.

3. Is it signed by a CA that you trust?

Typically, the only thing that changes is item one. A validity period is normally one or two years, so it can be easy to forget about the expiry. Once the certificate expires, the user will either get prompted ‘Do you trust this connection’, as the browser will be wary of the connection, or the service might just stop working altogether.

Why is that a problem? Well, once the trust becomes suspect, it is possible for the client to think that a fake version of the site is okay. It is not good to ignore that. For example, a hacker can take advantage of a website with an expired SSL certificate and create a fake website identical to it. They can then use this to harvest credentials and other details.

Who would be interested in this?

Almost any customer uses NetScaler within their infrastructure to provide an internet-based service. That’s everyone, right?

Let me have an example of its use.

The first sample use case is certificate expiry. The dashboard shows (with colours!) what the status is across your ADC estate. In this case, the screenshot is for all your infrastructure, so all the NetScaler appliances that ADM knows about.

It also breaks out expiry into categories. Each category can be clicked to drill into the details, for example for the certificates that are due to expire in the next 30 days, as shown here.

Ok, what else?

There are several different parameters for certificates, other than those already discussed.

1. Signature Algorithm

2. SSL Protocols

3. Key strength

4. CA signed or self-signed

All of these have a bearing on the relative strength of the encryption that the certificate will offer. Different signature algorithms are used in combination with Protocols and keys.

The dashboard can pull out each of these to allow the admin to see where they might have a problem, as all of these options can change from time to time and new standards come out.

For example, some SSL/TLS protocols have known vulnerabilities, and SSLv3 is one that should no longer be used. The dashboard pulls this out and offers a drill-down to see which certificates fall into which category.

For example, here is the full history of SSL and TLS releases:

· SSL 1.0 – never publicly released due to security issues.

· SSL 2.0 – released in 1995. Deprecated in 2011. Has known security issues.

· SSL 3.0 – released in 1996. Deprecated in 2015. Has known security issues.

· TLS 1.0 – released in 1999 as an upgrade to SSL 3.0. Planned deprecation in 2020.

· TLS 1.1 – released in 2006. Planned deprecation in 2020.

· TLS 1.2 – released in 2008.

· TLS 1.3 – released in 2018.

Naturally, TLS 1.2 and later is the place to be as of today.

What else?

ADM can also send you notifications to warn you about certificates that are about to expire. Always handy.
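
The checks described above (expiry window, signature algorithm, key strength, self-signed, enabled protocols) can be written as a small audit over a certificate inventory. This is an added example, not Citrix code or ADM output; the record fields, the sample inventory and the hash and key-size thresholds are assumptions.

```python
from datetime import datetime, timedelta, timezone

# The 30-day window and the SSL 2.0 / SSL 3.0 / TLS 1.0 / TLS 1.1 deprecations
# come from the article; the other thresholds are this example's assumptions.
EXPIRY_WARN = timedelta(days=30)
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
WEAK_HASHES = ("md5", "sha1")
MIN_KEY_BITS = {"RSA": 2048, "EC": 256}

def audit(cert, now):
    """Return the list of findings for one certificate record."""
    findings = []
    remaining = cert["not_after"] - now
    if remaining <= timedelta(0):
        findings.append("expired")
    elif remaining <= EXPIRY_WARN:
        findings.append(f"expires in {remaining.days} days")
    if any(h in cert["sig_alg"].lower() for h in WEAK_HASHES):
        findings.append("weak signature algorithm")
    # Unknown key types are flagged rather than silently passed.
    if cert["key_bits"] < MIN_KEY_BITS.get(cert["key_type"], float("inf")):
        findings.append(f"weak key ({cert['key_type']} {cert['key_bits']})")
    if cert["issuer"] == cert["subject"]:
        findings.append("self-signed")
    for proto in sorted(DEPRECATED_PROTOCOLS & set(cert["protocols"])):
        findings.append(f"deprecated protocol {proto}")
    return findings

def report(inventory, now):
    """Map common name -> findings, omitting certificates with none."""
    results = {c["subject"]: audit(c, now) for c in inventory}
    return {name: f for name, f in results.items() if f}

# Constructed sample inventory (hypothetical hosts, not real ADM data).
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

def make_cert(subject, issuer, days_left, sig_alg, key_type, key_bits, protocols):
    return {"subject": subject, "issuer": issuer, "sig_alg": sig_alg,
            "not_after": NOW + timedelta(days=days_left),
            "key_type": key_type, "key_bits": key_bits, "protocols": protocols}

INVENTORY = [
    make_cert("portal.example.com", "Example CA", -1, "sha256WithRSAEncryption", "RSA", 2048, ["TLSv1.2", "TLSv1.3"]),
    make_cert("legacy.example.com", "legacy.example.com", 12, "sha1WithRSAEncryption", "RSA", 1024, ["SSLv3", "TLSv1.2"]),
    make_cert("api.example.com", "Example CA", 200, "ecdsa-with-SHA256", "EC", 256, ["TLSv1.2", "TLSv1.3"]),
]

if __name__ == "__main__":
    for name, findings in report(INVENTORY, NOW).items():
        print(f"{name}: {', '.join(findings)}")
```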

What would Sanyukta say?

Here is a short video from Sanyukta, another 7 minutes of your time!

Summary.

Having a way to get a high-level view of what certificates you have and how they are defined is a great option. You get the ability to manage your infrastructure and set up some automation to help you stay on top of your environment. With tools like this, you can save time and ensure that you get back to high-value tasks.

Ultimately, it is another killer feature that is enabled with ADM service.

It is free too.

What’s not to like?
